In The Boardroom With...

SecuritySolutionsWatch.com: Thank you for joining us today, Bob. It’s an honor to speak with the “father of the 1st iPhone”. You’ve seen it all and heard it all ! Before discussing AllegisCyber in greater
detail, please give us a brief overview of your background.

Bob Ackerman: I'm the founder of AllegisCyber, a seed and early-stage venture capital firm investing in cybersecurity companies. I'm also a co-founder of DataTribe, a start-up studio building successful cybersecurity companies
in Maryland.

I founded Allegis Capital in 1996 after a successful career as a serial entrepreneur. In 2013, building on the firm’s historic success in cyber security investing and recognition of its effective focus on cyber, I subsequently changed its name to
AllegisCyber. The firm was both the industry’s first venture firm to focus exclusively on cyber security innovation and we raised the industry’s first dedicated cyber fund in 2015.

My founding mission for AllegisCyber was to build a seed and early-stage venture firm that would combine operational expertise with entrepreneurial spirit and a focus on forging partnerships with portfolio companies to build successful, sustainable cyber
technology companies.

I then co-founded DataTribe in 2015. DataTribe, based in Maryland, co-founds and grows cyber and data science technology startups, in partnership with subject matter expert engineers coming out of the U.S. intelligence community and U.S. national labs. I'm
happy to state that i was recognized as Fortune 100 cybersecurity executive and also as one of “Cybersecurity’s Money Men.”

Prior to founding AllegisCyber, I was President and CEO of UniSoft Systems, a leading UNIX systems house. I was also the Founder and Chairman of InfoGear Technology Corporation, a pioneer in the original integration of web and telephony technology and
the creator of the original IPhone, as you mentioned.

Outside of AllegisCyber and DataTribe, I taught New Venture Finance in the MBA program at the University of California for years. I currently co-manage my family’s Napa Valley winery—Ackerman Family Vineyards—and I'm an avid fly
fisherman.

Bob Ackerman: We are not just finance guys giving money to entrepreneurs – we build companies. We combine decades of successful entrepreneurial, operating and venture investment experience. Our team of Venture Partners
are proven industry veterans, each with decades of entrepreneurial success, building some of the market’s most successful companies. Our operating playbook leverages this experience together with our market, technology and domain expertise,
customer, entrepreneur and investor networks to help our entrepreneurial partners accelerate their growth, reduce start-up risk, lower overall capital requirements and improve the probability of market success.

Building a start-up company has been likened to running through a mine field, naked, in the middle of the night. The odds against success are long. Our playbook delivers a “map through the mine field” to our entrepreneurial partners,
translating to an “unfair competitive advantage” in challenging, dynamic, complex and rapidly evolving market.

SecuritySolutionsWatch.com: The Allegis Cyber Portfolio is indeed quite impressive with some very well known brands and some lesser known brands. We’ve got plenty of time and plenty of ink…want to give us a brief thumbnail of each company?

Bob Ackerman:

Area 1 provides performance-based cybersecurity that blocks phishing attacks that other solutions miss.

Callsign provides real time AI-driven Identity and authentication solutions that confirms if users really are who they say they are.

Attila mobilizes security at the edge where cyber threats matter. Their GoSilent technology was designed to protect government and enterprises from advanced cyber attacks, zero-day threats, and personal identity
theft.

CyberWire is an independent voice delivering concise, accessible, and relevant cyber security news to people all across the globe.

Dragos provides an industrial cyber security platform that delivers unprecedented visibility and prescriptive procedures to respond to adversaries in the industrial threat landscape.

Bob Ackerman: Timely advice about creating a worthwhile corporate cybersecurity strategy sagely starts by realizing that establishing firewalls and relying on the IT department to monitor attacks isn’t sufficient. Reactive
strategies break down over time, making proactive strategies crucial.

Further, defensive strategies work only within centralized, controlled and managed-device networks – all now tottering on the edge of extinction amid the proliferation of cloud computing, the Internet of Things (IoT) and mobile technology.

Experience continually reinforces the reality that the human element is the weakest link in cybersecurity. This means the most important proactive strategy of all is to train everybody in a corporation – and I mean everybody – in good cybersecurity
practices, along with their contractors and vendors. All employees should not only understand what is expected of them regarding company security policy and good online behavior, but also be trained to spot nefarious or suspicious activity and to
conduct periodic tests to ensure best practices are followed.

It is employees, after all, who are the first – as well as the last – line of cyber defense.

Corporations need to balance technological deterrents with agile, human-centric defenses. This is instrumental because cyber technology continually evolves, which means purely technological solutions cannot keep pace. In addition, it is much tougher to
play defense than offense, and attackers, unlike defenders, have patience on their side. And, too, many attackers are typically as knowledgeable as corporate cybersecurity pros and only to have to be right once to be successful, while cyber defenders
have to be right all the time.

Regardless, it is best to assume that defenses will be compromised at some point – no organization is cyberattack-proof – and to train employees what to do when that happens. The sustainability of the business ultimately hinges on what every
employee, internally and externally, does.

Training alone, of course, isn’t sufficient. Once it’s in place, corporations also need to create a highly tailored cybersecurity strategy.

Companies must reevaluate how their systems and networks are used and who uses them, and then implement a feedback loop. It would be wise to start with technical assessment of current areas of weakness and then follow up with a review of non-technical
matters. The technical assessment helps identify vulnerabilities within the network. Policy and employee assessments help identify non-technical areas that need to be assessed. It is essential that this process be open ended and repeated regularly.
Networks are dynamic. Assessments also must be.

Specific security programs then need to be implemented, plus steps to assure follow-through, such as the application of software updates and patches to help minimize vulnerabilities. Policies should also identify roles and responsibilities, including
acceptable use conditions for employees, and a point person needs to be chosen to make sure these are implemented and maintained.

Employees must be taught to recognize deceptive cyber ploys and other common threats to help enable them to act as the first line of defense against cyber attacks. In addition, they should be instructed about safe password management and secure browsing
practices.

Along the way, both technical and non-technical players should participate in shaping a security strategy. The technical folks ensure that the plan satisfies the needs of IT and business operations. Non-technical folks, meanwhile, are usually better at
nudging employees to take corporate cybersecurity policy seriously and at monitoring employee cyber policy.

Corporations also must establish protective monitoring to prevent and deter “insider” threats, whether intentional or accidental. This provides an over-arching view of cyber activity throughout the corporation and supports a positive culture
to deter bad behavior. And, of course, it helps companies combat the threat posed by insiders.

Most important of all, corporations and other organizations must build a solid and highly tailored cybersecurity foundation – i.e., a sound analysis of security capabilities from a bottom-up, device-centric perspective. The application of traditional
firewalls, intrusion prevention systems and multi-factor authentication (moving beyond two factors), for example, typically needs to be tweaked or changed substantially, depending on the devices and nodes used in a corporation.

Also part of a good foundation is an appreciation of context, which is how the network interacts with particular devices, as well as the realization that corporations must play offense, as well as defense.

Regarding context, company security staffers must determine which network nodes they can control and which they can merely observe in an advantageous manner. IoT devices, for example, offer the least control. Companies with lots of these might want to
consider the so-called “ring-fence” approach. This entails drawing a perimeter around devices that require access to similar resources in an effort to better monitor overall cyber behavior and react more quickly to problems.

Offense is often as important as defense because it helps instill a mindset of continuous cybersecurity improvement. Corporations should regularly challenge the quality of their cybersecurity defenses via proactive testing, commonly known as “red
team, blue team exercises.” Penetration tests and threat modeling, for instance, enables a red team to challenge lower-profile attack avenues to better understand their vulnerabilities. Defense-oriented blue teams, meanwhile, can help fix the
security weaknesses unearthed.

When the development and implementation of a cybersecurity strategy is completed, companies should take the trouble to gauge whether it is sufficient.

Here is an informal checklist:

Is cybersecurity policy driven from the top of the organization? A strong cyber strategy is a core corporate message, and it is driven by senior management. Remember, cyber security is about risk throughout the enterprise. IT is simply the vector.

Does cybersecurity come up at or near the start of every meaningful IT discussion? It’s much easier to implement cybersecurity early in the lifecycle, rather than as an add-on.

Is cybersecurity communicated in basic English? Every employee should understand what they need to know about cybersecurity. “Geek speak” is a no-no.

Has your company established a predictive security edge? Do you have the wherewithal to anticipate your adversary’s next move?

Does your data security system work in harmony? In other words, do your people, processes and technology work well together?

Are there ample “change agents” spread throughout the corporation? Advocates help spread the cybersecurity vision across the enterprise.

Does your corporation embrace cybersecurity? Cybersecurity is part of your cultural DNA. As such, it’s factored into all business decisions. Your organization naturally embraces good cybersecurity policies – without a second thought.

The current state of cyber security is heavily focused on defending IT infrastructure vulnerable to cyber compromise and mitigation and remediation in the event of a cyber attack. While this current focus is necessary and essential, longer term,
we need to shift our focus to securing and ensuring the integrity of data, which in itself is most often the target of a cyber attack. This “data-centric” approach to cyber will lead the next wave of integrated cyber security
through data science innovation.

The emergence of AI-driven chatbots. In 2019, cybercriminals and black hat hackers will create malicious chatbots that try to socially engineer victims into clicking links, downloading files or sharing private information. A hijacked
chatbot could easily misdirect victims to nefarious links rather than legitimate ones. Attackers are also likely to leverage web application flaws in legitimate websites to insert a malicious chatbot into a site that doesn’t have one.

Attacks on cities with crimeware-as-a-service, a new component of the underground economy. Adversaries will leverage new tools that among other things attack data integrity, disabling computers to the point of requiring mandatory
hardware replacements. Terrorist-related groups will be the likely culprits.

A significant increase in nation-state attacks. Russia has been a leader in using targeted cyberactions as part of larger objectives. In 2018, for example, the FBI disclosed that Sofacy group, a Russian persistent threat actor, infected
more than 500,000 home office routers and network attached to storage devices worldwide to remote control them. Look for other nation-states to follow the same sort of playbook, helped by billions of poorly secured IoT devices.

The growing weaponization of data. Already a huge problem, it is certain to worsen, notwithstanding efforts among some technology giants to enhance user security and privacy. Balancing the negatives with the positives, tens of millions
of comprised web users have begun to seriously question how much they really benefit from the Internet.

Consider, for example, Facebook, which has made no secret of using personal data and “private” correspondence to annually generate billions of dollars in profits. Users willingly “like” interests and brands, volunteering personal
information. This enables Facebook to provide a more complete image of its user base — a gold mine for advertisers.

Much worse, Facebook in 2018 tried to manipulate user moods through an “emotional contagion” experiment. This pitted users against their peers to influence their emotions, i.e. the weaponization of data.

A resurgence in ransomware. Ransomware exploded onto the scene in 2017 following the WannaCry outbreak and a series of successful follow-up ransomware attacks targeting high-profile victims. According to the FBI, total ransomware
payments in the U.S. have in some years exceeded $1 billion. There were scant high-profile ransomware victims in recent months, but the problem is highly likely to bounce back strongly in 2019. Ransomware attacks come in waves, and the next one is
due.

Increased subversion of software development processes and attacks on software update supply chains. Regarding software development, malware has already been detected in select open-source software libraries. Meanwhile, software
update supply chain attacks violate software vendor update packages. When customers download and install updates, they unwittingly introduce malware into their system. In 2017, there was an average of one attack every month, compared to virtually
none in 2016, according to Symantec. The trend continued in 2018 and will become worse this year.

More cyber attacks on satellites. In June 2018, Symantec reported that an unnamed group had successfully targeted the satellite communications of Southeast Asia telecom companies involved in geospatial mapping and imaging. Symantec
also reported attacks originating in China last year on a defense contractor’s satellite.

Separately, we learned in August 2018 at the annual Black Hat information security conference that the satellite communications used by ships, planes and the military to connect to the Internet are vulnerable to hackers. In the worst-case scenario, the
research said, hackers could carry out “cyber-physical attacks” that could turn satellite antennas into weapons that essentially operate like microwave ovens.

SecuritySolutionsWatch.com: Thanks again for joining us today, Bob. Any other subjects you’d like to discuss?

Bob Ackerman: Yes, I believe that 2019 will be the worst year yet for cyber attacks -- a sad reality as companies increasingly pursue digitization to drive efficiency and simultaneously move into the “target zone” of
cyberattacks. This bad news is compounded by the harsh reality that there are not nearly enough cybersecurity pros to properly respond to all the threats.

The technology industry has never seen anything quite like it. Seasoned cyber pros typically earn $95,000 a year, often markedly more, and yet job openings can linger almost indefinitely. The ever-leaner cybersecurity workforce makes many companies desperate
for help.

Between September 2017 and August 2018, U.S. employers posted nearly 314,000 jobs for cybersecurity pros. If they could be filled, that would boost the country’s current cyber workforce of 714,000 by more than 40%, according to the National Initiative
for Cybersecurity Education. In light of the need, this is still the equivalent of pocket change.

Global Gap of Nearly 3 Million Cybersecurity Positions

In a recent study, (ISC)2 – the world’s largest nonprofit association of certified cybersecurity pros – said there is now a gap of almost 3 million cybersecurity jobs globally – substantially more than other experts said might
be the case years into the future.

Companies are trying to cope in part by relying more aggressively on artificial intelligence and machine learning, but this is still at a relatively nascent stage and can never do more than mitigate the problem. Big companies have their hands full, and
it’s even worse for smaller enterprises. They’re attacked more -- sometimes as a conduit to their larger business partners – because their defenses are weaker.

So what kind of cyber talent are companies and government entities looking for?

Preferably, they want people with a bachelor’s degree in programming, computer science or computer engineering. They also warm up to an academic background replete with courses in statistics and math. They want cybersecurity certifications as well,
and, of course, experience in specialties plagued by staffing shortages, such as intrusion detection, secure software development and network monitoring.

These are ideal candidates, but, in fact, the backgrounds of budding cyber pros need not be nearly this good.

Only Recently Has Formal Training Existed

Cybersecurity has long been a field that has embraced people with nontraditional backgrounds. Almost no cybersecurity pro over 30 today has a degree in cybersecurity and many don’t even have degrees in computer science. Professionals need some training
to become familiar with select tools and technologies – usually at a community college or boot camp -- but even more they need curiosity, knowledge of the current threat landscape and a strong passion for learning and research. Particularly
strong candidates have backgrounds as programmers, systems administrators and network engineers.

Asking too much from prospective pros isn’t the only reason behind the severe cyber manpower shortage. In general, corporations do too little to help their cyber staffs stay technically current and even less when it comes to helping their IT staffs
pitch in.

(ISC) 2 formalized a study of more than 3,300 IT professionals less than 18 months ago and learned that organizations aren’t doing enough to properly equip and power their IT staffs with the education and authority to bolster their implementation
of security technologies.

Inadequate Corporate Cyber Training

One key finding was that 43% of those polled said their organization provides inadequate security training resources, heightening the possibility of a breach.

Universities suffer shortcoming as well. Roughly 85 of them offer undergraduate and/or graduate degrees in cybersecurity. There is a big catch, however. Far more diversified computer science programs, which attract substantially more students, don’t
mandate even one cybersecurity course.

Fortunately, positive developments are popping up on other fronts. Select states have begun taking steps to help organizations and individuals alleviate a talent shortage by building information sharing hubs for local businesses, government and academia
-- all revolving around workforce development.

Georgia recently invested more than $100 million in a new cybersecurity center. A similar facility in Colorado, among other things, is working with area colleges and universities on educational programs for using the next generation of technology. Other
states have begun following in their wake.

On another front, there is discussion about a Cybersecurity Peace Corps. The model would be similar to the original Peace Corps but specific to nascent cybersecurity jobs. The proposed program -- which would require an act of Congress and does not yet
exist -- would place interested workers with nonprofits and other organizations that could not otherwise afford them and pay for their salaries and training.

Cyber Boot Camps and Community College Programs

Much further along are cyber boot camps and community college cybersecurity programs. The boot camps accept non-programmers, train them in key skills and help them land jobs. Established boot camps that have placed graduates in cyber jobs include Securest
Academy in Denver, Open Cloud Academy in San Antonio and Evolve Security Academy in Chicago.

There are also more than a dozen two-year college cybersecurity programs scattered across the country. A hybrid between a boot camp and community college program is the City Colleges of Chicago (CCC), which partners with the Department of Defense on a
free cybersecurity training program for active military service members.

A small handful of technology giants have also stepped into the fray. IBM, for example, creates what it calls “new collar” jobs, which prioritize skills, knowledge and willingness to learn over degrees. Workers pick up their skills through
on-the-job training, industry certifications and community college courses and represent 20% of Big Blue cybersecurity hires since 2015.

Technology companies still must work much harder to broaden their range of potential candidates, seeking smart, motivated and dedicated individuals who would be good teammates. They can learn on the job, without degrees or certificates, and eventually
fit in well. You can quibble with how much time, energy and work this might take. It’s clear, however, that there is no truly viable alternative.